This week we bring our readers worldwide incisive essays by pre-eminent IT professionals dissecting the multifaceted problems confronting the sector at this time. It would be deluded of us to think that, for all their wealth of experience and deep knowledge of their operational terrain, you would swallow everything they have written hook, line and sinker; so if you don’t agree with what they have to say, send us a rejoinder by email or start a debate on any burning industry issue you are passionate about. It’s a parade of the industry stars this week…or what do you think?
Protect your business from state-sponsored attacks
CALUM MACLEOD, EMEA DIRECTOR, VENAFI
It has taken some time but we have finally succumbed to the delights of a certain kitchen utensil. Years of resisting George, John, and the seductive talents of Penelope had left me more determined than ever to resist at all costs. The result: a plethora of appliances – eight at last count – to produce the perfect cup of coffee at the right moment, cluttering kitchen surfaces and cupboards, and never quite getting it right. After all, each appliance needs and produces its own unique type of coffee. And it’s difficult, when you’re the only serious coffee drinker, to convince ‘management’ at home that such a thing as a CCM (Centralized Coffee Management) system is essential.
And the story is similar with encryption keys and certificates. Look around any mid to large size organisation and you will find SSL, SSH and Symmetric keys and digital certificates scattered around - and each type will also have several variants. Then there are all the different “utensils” which use the keys, from applications to a myriad of appliances, as well as a host of built-in ‘tools’ to manage each variety. The result is more management systems than the average household’s coffee machines.
Today SSL and SSH keys and certificates are found littered across virtually all systems, applications and end-user computing devices. In most cases no one knows who caused the ever-proliferating and expanding landscape of encryption “litter,” and since these keys and certificates are used to protect critical systems and sensitive data, ineffective and siloed management means that organisations are increasingly susceptible to failed audits, security risks, unexpected systems outages, and compromises to systems, applications and, most importantly, critical data. Of course, each of these comes with its own costly financial and reputational consequences.
The Dark Side
And just as I’m told that there’s a dark side to my caffeine addiction, there is a definite dark side to the unmanaged and unquantified encryption keys and certificates that we’ve become so dependent on—which now act as the infrastructure backbone of all online trust and security. Today as never before, everyone from governments to private individuals is under attack. The use of malware for criminal, ideological and political aims is growing at an alarming rate. Stuxnet opened Pandora’s Box when the use of valid, stolen SSL certificates as a means to authenticate the malware and allow it to remain hidden and undetected became common knowledge. Since then there has been an explosion of malware using digitally signed certificates.
Can we defend ourselves against state-sponsored attacks?
Today we are faced with cyber-attacks on a scale never imagined, and the question that has to be asked is whether or not there is anything we can do to protect our infrastructure, enterprises and ourselves.
But I believe the reality is that we are responsible in large part for the ease with which cyber-terrorists, regardless of their ideology or motivation, are attacking us. In effect, we are supplying the weapons that are being used against us. The collective failure of enterprises to protect keys and certificates is resulting in these very keys and certificates being used against us.
The Flame attack, for example, which masqueraded as a Windows update, was successful because of Microsoft’s continued use of MD5 algorithms, years after they themselves had identified that they were compromised. A surprisingly small amount of money needed to be spent to create a duplicate certificate. Shamoon, which attacked Aramco and RasGas, leveraged a certificate stolen from a company called Eldos, and issued by GlobalSign. The fact that it was issued by GlobalSign is not the problem; the problem is that the key and certificate were reportedly stolen from Eldos. And it goes on and on. Cyber-terrorists are literally helping themselves to keys and certificates from global business because they know that no one manages them. When organisations don’t ensure proper controls over trust, business stops. End of story.
So the first step in defending ourselves is to protect our key and certificate arsenal. Having effective management so that access to any key or certificate is controlled is a first step in ensuring that you don’t become the next unsuspecting collaborator. And that management has to be unbiased, universal and independent if it’s going to work—not caring who issues the encryption or in what departmental silos it resides (one cannot be both the issuer and manager of encryption simultaneously—there are too many inherent conflicts of interest). No one wants to have their name associated with a cyber-attack that at the very least results in significant financial loss for the victim, but even more seriously results in the loss of life.
Secondly, enterprises are not responding to the attacks. There is massive investment in perimeter security but when we are told repeatedly that the threat is as much from within as outside, we need to act.
Can we still protect critical infrastructure from attack in the digital age?
If malware is the Cyber-terrorist weapon of the 21st century, then organisations need to reduce the risk as much as possible. At last count there are in excess of 1500 Trusted Third Parties who issue certificates globally. Many of these are in every system in the infrastructure, and the result is that if a system trusts the issuer, it will by default trust the “messenger”, in this case malware.
So like your firewall in the 20th century, which you used to reduce the access points through your perimeter, effective management of trusted issuers and instruments similarly reduces your risk of malware infection. If a system doesn’t know the issuer, it’s not going to trust the messenger. So although you can never completely remove the risk, because you have to trust some people, you will significantly reduce the number of possible attacks. But this requires the determination of an organisation to take steps to protect itself. The management of trust stores in every system becomes an absolute necessity in the fight against cyber-terrorism, regardless of what group, enterprise, or nation state is behind it.
According to US Defence Secretary Leon Panetta, the Pentagon and American intelligence agencies are seeing an increase in cyber threats that could have devastating consequences if they aren’t stopped. “A cyber-attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyse the nation.”
The question is: when will we start to see individuals and organisations being held culpable for these attacks? In the cyber-terrorism war, selling valid SSL certificates, whether stolen, lost or sold, to “terrorists” is big business - it is likely to play a significant part in a major incident, and ignorance will not be a defence!
So my advice is, as George Orwell wrote in “1984” - “If you want to keep a secret, you must also hide it from yourself.”
Calum MacLeod has over 30 years of expertise in secure networking technologies, and is responsible for developing Venafi’s business across Europe as well as lecturing and writing on IT security.
Before joining Venafi as EMEA Director, he built up sales and managed the channel market across EMEA for Tufin. Calum held a similar position for Cyber-Ark, where he also held an evangelist role in spreading their message as well as increasing sales throughout Europe. Previous to that role he worked for Netilla Networks, now AEP, where he was responsible for leading some of the early SSL VPN projects in Europe. MacLeod has also served as an independent consultant to corporate and government clients on IT security strategy for various European market segments, including the European Commission.
Combating Cyber-Attacks Against the Financial Community
How Banks Can Maintain Information Security by Bolstering Internal Controls
BY BALA VENKATRAMANI, MARKETING MANAGER, MANAGEENGINE PASSWORD MANAGER PRO
News media in the U.S. are abuzz with stories about cyber-attacks on top banks as financial institutions emerge as the prime targets of cyber-criminals. Reports suggest that since September 2012, cyber-attacks on bank networks have exploded.
Actually, banking and other financial institutions have always been a top target of hackers. During the past few years, renowned banking organizations across the globe have fallen prey to criminal hacks. Beyond huge financial losses, the victims suffer irreparable damage to their trust and credibility, the hallmarks of financial institutions.
The hackers’ predominant activities include spreading malware infections, siphoning off login credentials and denial of service attacks that disrupt service to legitimate users. The traditional attack channels include viruses, keylogger trojans and cross-site scripting. The trojans monitor keystrokes, log them to a file and send them to remote attackers. Cross-site scripting, on the other hand, enables malicious attackers to inject client-side script into web pages viewed by other users and exploit the information so obtained to bypass access controls.
Evolving Attack Patterns
Perimeter security software and traffic analysis solutions help in combating traditional attack vectors. However, hackers are starting to change their modus operandi. Cyber-criminals are now siphoning off login credentials of employees and administrative passwords of IT resources, using techniques that include spam and phishing emails, keystroke loggers, and Remote Access Trojans (RAT).
Once the login credential of an employee or an administrative password of a sensitive IT resource is compromised, the institution is vulnerable. The criminal can initiate unauthorized wire transfers, view the transactions of customers, download customer information and/or carry out sabotage.
Another emerging threat is sabotage caused by the insiders at the financial institutions. Disgruntled staff, greedy techies and sacked employees have all been involved in cyber security incidents. Clearly, breaches of trust can occur anywhere, leading to grave consequences.
In internal and external attacks alike, unauthorized access and misuse of privileged passwords — the ‘keys to the kingdom’ — have emerged as the main activities. Administrative passwords, system default accounts and hard-coded credentials in scripts and applications have all become the prime targets of cyber-criminals.
Overlooking Privileged Passwords
While internal and external hackers are exploiting administrative passwords with increasing frequency, many financial institutions fail to recognize the importance of this crucial aspect of security: privileged password management. Passwords of enterprise IT resources are often stored in spreadsheets, text files, homegrown tools, on paper or even in physical vaults. Yet these volatile sources are inherently insecure and do little to enhance data security or business reputation.
Passwords are further compromised in IT divisions that deal with thousands of privileged passwords, which are used in a ‘shared’ environment. This is a standard practice, which leaves a group of administrators to use a common privileged account to access a given resource.
Apart from the ‘officially shared’ passwords, users also tend to reveal administrative passwords to their colleagues, unofficially, for some reason or other. The most common reason for unofficial sharing of a password is to handle an emergency, e.g., an IT manager may reveal the password to a senior member when the manager is on vacation.
Developers, help desk technicians and even third-party vendors may require access to privileged passwords purely on a temporary basis. The passwords are often supplied via email or over the phone, both of which are highly insecure media. Worse, there is no process to revoke access and reset the password after the temporary usage, leaving an even bigger security hole.
Privileged password negligence often proves costly. Haphazard password management makes the enterprise a paradise for hackers inside and outside the financial organization. Many security breaches stem from inadequate password management policies, access restrictions and internal controls.
Tightening Internal Controls
Combating sophisticated cyber-attacks demands a multi-pronged strategy incorporating an exhaustive set of activities. Financial institutions need to deploy security devices, enforce security policies, control access to resources, monitor events, analyze logs, detect vulnerabilities, manage patches, track changes, ensure compliance and monitor traffic among other activities.
Of all the combat measures, bolstering internal controls holds special significance in light of the recent attack trends. Access to IT resources should strictly be based on job roles and responsibilities. But access restrictions alone are not enough and must be supplemented with clear-cut trails that reveal ‘who’ accessed ‘what’ and ‘when.’ Likewise, password sharing should be regulated, and a well-established workflow should be in place for release of passwords of sensitive resources. Standard password management policies, including usage of strong passwords and frequent rotation should be enforced.
One of the effective ways to bolster internal controls is automating the entire lifecycle of privileged access management and systematically enforcing best practices. Privileged password managers like ManageEngine’s Password Manager Pro replace manual practices and automatically assist with securely storing privileged identities in a central vault, selectively sharing passwords, enforcing policies and above all, restricting access to and establishing total control over privileged identities. Enterprise-class password managers offer advanced protection of IT resources by helping establish access controls to IT infrastructure, and seamlessly video recording and monitoring all user actions during privileged sessions, providing complete visibility on privileged access.
Bolstering internal controls as detailed above will ensure that privileged identities will not be compromised — even if a hacker manages to penetrate the perimeter. Similarly, the threats due to attacks by malicious insiders are greatly mitigated.
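The release workflow described above (role-based release, time-boxed temporary use, rotation on check-in, and a who/what/when trail), as an added example written for this article; it is a constructed model, not ManageEngine’s product or API, and the resource, role and user names are invented:

```python
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def generate_password(length: int = 24) -> str:
    """Random password that always contains lower, upper and digit classes."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


@dataclass
class Resource:
    """A privileged account held in the vault (constructed sample data)."""
    name: str
    allowed_roles: frozenset[str]            # job roles allowed to request release
    password: str = field(default_factory=generate_password)
    checked_out_by: str | None = None
    expires_at: datetime | None = None


class Vault:
    """Central store: role-based release, time-boxed use, rotation, audit trail."""

    def __init__(self) -> None:
        self.resources: dict[str, Resource] = {}
        self.roles: dict[str, str] = {}                          # user -> job role
        self.audit: list[tuple[datetime, str, str, str]] = []   # when, who, what, outcome

    def _log(self, now: datetime, who: str, what: str, outcome: str) -> None:
        self.audit.append((now, who, what, outcome))

    def add_resource(self, name: str, allowed_roles: set[str]) -> None:
        self.resources[name] = Resource(name, frozenset(allowed_roles))

    def request(self, user: str, resource: str, now: datetime,
                ttl: timedelta = timedelta(hours=1)) -> str:
        """Release a password only to a permitted role, for a bounded window."""
        res = self.resources[resource]
        if self.roles.get(user) not in res.allowed_roles:
            self._log(now, user, f"release {resource}", "DENIED role")
            raise PermissionError(f"{user} may not access {resource}")
        if (res.checked_out_by not in (None, user)
                and res.expires_at is not None and res.expires_at > now):
            self._log(now, user, f"release {resource}", "DENIED in use")
            raise RuntimeError(f"{resource} is checked out by {res.checked_out_by}")
        res.checked_out_by, res.expires_at = user, now + ttl
        self._log(now, user, f"release {resource}", "GRANTED")
        return res.password

    def _rotate(self, res: Resource) -> None:
        res.password = generate_password()
        res.checked_out_by = res.expires_at = None

    def checkin(self, user: str, resource: str, now: datetime) -> None:
        """End of temporary use: rotate, so the password that was released is dead."""
        res = self.resources[resource]
        if res.checked_out_by != user:
            raise RuntimeError(f"{resource} is not checked out by {user}")
        self._rotate(res)
        self._log(now, user, f"checkin {resource}", "ROTATED")

    def expire_stale(self, now: datetime) -> int:
        """Sweep: a checkout whose window has passed is force-closed and rotated."""
        swept = 0
        for res in self.resources.values():
            if res.checked_out_by and res.expires_at is not None and res.expires_at <= now:
                self._log(now, "system", f"expire {res.name}",
                          f"ROTATED (was {res.checked_out_by})")
                self._rotate(res)
                swept += 1
        return swept

    def trail(self, resource: str) -> list[tuple[str, str, str]]:
        """Who did what to this resource, and when: the audit trail."""
        return [(t.isoformat(), who, outcome)
                for t, who, what, outcome in self.audit if what.endswith(" " + resource)]
```

The sweep in `expire_stale` is what closes the hole the article describes: a vendor or stand-in who was given a password for an emergency cannot keep using it once the window ends.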
Staying Vigilant
Once internal controls have been tightened, financial institutions must remain vigilant and keep an eye on activities going on inside and around them. Logs from critical systems carry vital information that could prove effective in preventing security incidents. For instance, monitoring activities like user logons, failed logins, password access, password changes, attempts to delete records and other suspicious activities could help identify hacking attempts, malicious attacks, DoS attacks, policy violations and other incidents. Monitoring network activity to establish real-time situational awareness is essential to enterprise security.
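The monitoring just described, applied to a few constructed auth-log lines as an added example (not from the article): a burst of failed logins from one source, a success following repeated failures, a privileged logon outside business hours, and a password change on a privileged account. The log lines, account names and thresholds are all invented for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, shaped like Linux sshd/passwd syslog lines.
SAMPLE_LOG = """\
2013-04-02 02:14:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51000 ssh2
2013-04-02 02:14:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2013-04-02 02:14:05 sshd[1201]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2013-04-02 02:14:08 sshd[1201]: Failed password for admin from 203.0.113.7 port 51003 ssh2
2013-04-02 02:14:10 sshd[1201]: Failed password for admin from 203.0.113.7 port 51004 ssh2
2013-04-02 02:14:12 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51005 ssh2
2013-04-02 09:30:00 sshd[1300]: Accepted publickey for jsmith from 10.1.1.20 port 40000 ssh2
2013-04-02 09:31:15 passwd[1305]: password changed for swift_batch by jsmith
2013-04-02 11:02:44 sshd[1401]: Failed password for jsmith from 10.1.1.21 port 40100 ssh2
2013-04-02 11:03:01 sshd[1401]: Accepted password for jsmith from 10.1.1.21 port 40101 ssh2
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+)\[\d+\]: (.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
OK_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
PWCHG_RE = re.compile(r"password changed for (\S+) by (\S+)")

PRIVILEGED = {"root", "admin", "swift_batch"}   # accounts that warrant extra scrutiny
BURST_THRESHOLD = 5                             # failures from one source ...
BURST_WINDOW = timedelta(seconds=60)            # ... within this window
BUSINESS_HOURS = range(8, 18)                   # hours when privileged logons are expected


def parse(line: str) -> tuple[datetime, str, str] | None:
    """Split a line into (timestamp, process, message); None for lines not in that shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def analyze(log_text: str) -> list[tuple[str, datetime, str, str, str]]:
    """Return findings as (kind, when, account, source_or_actor, detail), in log order."""
    findings = []
    failures: dict[str, list[datetime]] = defaultdict(list)   # source -> recent failure times
    burst_reported: set[str] = set()
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, _proc, msg = parsed
        if (m := FAIL_RE.search(msg)):
            user, src = m.groups()
            recent = [t for t in failures[src] if ts - t <= BURST_WINDOW] + [ts]
            failures[src] = recent
            if len(recent) >= BURST_THRESHOLD and src not in burst_reported:
                burst_reported.add(src)
                findings.append(("FAILED_BURST", ts, user, src,
                                 f"{len(recent)} failures within {BURST_WINDOW.seconds}s"))
        elif (m := OK_RE.search(msg)):
            user, src = m.groups()
            recent = [t for t in failures[src] if ts - t <= BURST_WINDOW]
            if len(recent) >= 3:
                findings.append(("SUCCESS_AFTER_FAILURES", ts, user, src,
                                 f"login succeeded after {len(recent)} recent failures"))
            if user in PRIVILEGED and ts.hour not in BUSINESS_HOURS:
                findings.append(("OFF_HOURS_PRIVILEGED", ts, user, src,
                                 "privileged logon outside business hours"))
        elif (m := PWCHG_RE.search(msg)):
            target, actor = m.groups()
            if target in PRIVILEGED:
                findings.append(("PRIVILEGED_PASSWORD_CHANGE", ts, target, actor,
                                 f"password of {target} changed by {actor}"))
    return findings
```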
Of course, not all security incidents can be prevented or avoided. Nor can privileged password management thwart all cyber security incidents. However, too many security incidents occur as a result of lax internal controls — poor password management, in particular — and those violations can certainly be prevented. It’s time for IT organizations to take the bull’s eye off of the financial community networks and data and enforce some enterprise-class password protection.
Records Management in Microsoft SharePoint
BY ANTONIO MAIO, MICROSOFT SHAREPOINT SERVER MVP AND SENIOR PRODUCT MANAGER, TITUS
According to a 2011 AIIM survey, organizations are experiencing a 23% yearly growth in electronic records. This rapid growth presents a challenge to organizations that must comply with records management regulations while ensuring that the right people are accessing the right information.
To address this challenge, many organizations are looking to Microsoft SharePoint. With its powerful record-keeping capabilities, organizations can now manage their records using the same platform as they use for everyday collaboration and document management.
Records Management is one of the most popular drivers for using Microsoft SharePoint. Despite how much has been written on this, Records Management is sometimes confused with Document or Content Management, but it is in fact quite a unique discipline with its own best practices and processes. Microsoft SharePoint provides some great features to enable these processes, and it provides enterprises with the appropriate controls for the data and documents that they declare to be corporate records.
A record refers to a document or some other piece of data in an enterprise (electronic or physical) that provides evidence of a transaction or activity taking place, or some corporate decision that was made. A record requires that it be retained by the organization for some period of time. This is often a legal or regulatory compliance requirement. As well, a record by definition must be immutable, which means that once a document or piece of data is declared to be a record, it must remain unchanged.
The period for which records are retained, along with the process followed once that time period has expired, is a critical requirement for records management. There are legal and business implications to consider when content is kept too long. The business policy could be that after X years, a record is archived and then after Y years from that point it is disposed (which could include deletion or moving it to offline long-term storage). Again, establishing this policy requires planning and getting agreement from stakeholders, especially around any legal, regulatory compliance, revenue or tax implications.
The requirements for records immediately suggest certain processes that must be in place to ensure that records are managed appropriately from several perspectives: business, auditing/legal, tax, revenue, and even business continuity. As we often find, for business processes to be applied consistently across all SharePoint content or records, automation is a key requirement, as well as making appropriate use of metadata.
The first step in implementing records management in SharePoint is to define a file plan, which typically includes:
- A description of the types of documents that the organization considers to be records
- A taxonomy for categorizing the records
- Retention policies that define how long a record will be kept and how to handle disposition
- Information about who owns the record throughout its information lifecycle, and who should have access to the record
It is important to determine what type of content should be considered a record. For example, if I am working on a new HR policy for next year, my initial draft and its various iterations should likely not be considered records because they are still changing – they are not yet approved or final, nor can I make any decisions based on those preliminary versions. But once my HR plan is ‘approved’ or considered ‘final’ then it can be declared a record because I can now base corporate decisions on it. Establishing a policy around what type of data is a record requires planning, meeting with appropriate stakeholders and agreeing on policy that’s communicated to everyone that may be declaring content as a record.
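A file plan and its retention schedule as executable rules, added here as an example (it is a constructed model, not SharePoint’s own object model or API): record types with owner and readers, the archive-after-X-then-dispose-after-Y lifecycle, and the immutability rule that a declared record can no longer be edited. Record types, users and dates are invented.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


def add_years(d: date, years: int) -> date:
    """Calendar arithmetic; a 29 Feb anniversary falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class Retention:
    archive_after_years: int     # X: years from declaration to archive
    dispose_after_years: int     # Y: years from archive to disposition
    disposition: str             # "delete" or "offline" (long-term storage)


@dataclass(frozen=True)
class FilePlanEntry:
    record_type: str
    description: str
    owner: str
    readers: frozenset[str]
    retention: Retention


@dataclass
class Item:
    """A list item: an editable draft until it is declared as a record."""
    title: str
    content: str
    record_type: str | None = None
    declared_on: date | None = None
    archived_on: date | None = None
    disposed_on: date | None = None

    @property
    def is_record(self) -> bool:
        return self.declared_on is not None


class RecordsManager:
    def __init__(self, plan: dict[str, FilePlanEntry]) -> None:
        self.plan = plan
        self.items: list[Item] = []
        self.audit: list[tuple[date, str, str, str]] = []

    def declare(self, item: Item, record_type: str, by: str, on: date) -> None:
        """Declare in place: the item stays where it is but becomes immutable."""
        if item.is_record:
            raise ValueError(f"{item.title} is already a record")
        if record_type not in self.plan:
            raise KeyError(f"{record_type} is not in the file plan")
        item.record_type, item.declared_on = record_type, on
        self.items.append(item)
        self.audit.append((on, by, "declare", item.title))

    def edit(self, item: Item, new_content: str) -> None:
        """Drafts may change; a declared record may not."""
        if item.is_record:
            raise PermissionError(f"{item.title} is a record and is immutable")
        item.content = new_content

    def can_read(self, item: Item, user: str) -> bool:
        entry = self.plan[item.record_type]
        return user == entry.owner or user in entry.readers

    def run_disposition(self, today: date) -> list[tuple[str, str]]:
        """Apply the X-then-Y schedule to every live record; returns actions taken.
        Y is counted from the date the sweep actually archived the record."""
        actions = []
        for item in self.items:
            if item.disposed_on is not None:
                continue
            ret = self.plan[item.record_type].retention
            if item.archived_on is None:
                if today >= add_years(item.declared_on, ret.archive_after_years):
                    item.archived_on = today
                    actions.append(("archive", item.title))
            elif today >= add_years(item.archived_on, ret.dispose_after_years):
                item.disposed_on = today
                actions.append((ret.disposition, item.title))
        return actions
```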
Once the organization has defined what information it wants to preserve as records, SharePoint 2010 provides several methods to declare a record and implement record retention policies. These include the Records Center site, which is a SharePoint site dedicated to centrally storing and managing records. It provides many features that are critical to implementing a records management system, including a dashboard view at the site level for Records Managers with searching capabilities and integration with the Content Organizer for routing records within the site. Depending on the business need, it may make sense to centralize records management and storage in the Records Center. This is particularly true if the business demands that a small number of users be considered “Record Managers” and it is their role alone to declare content as records.
A second method involves declaring records “in-place”. This feature allows individual users to declare content as records in their current SharePoint location. Records do not need to be moved or added to a central Records Center site, nor do they need to be routed within the Records Center. This is a trend in the records management space, because it allows users to continue to find content where it resides, based on its business nature, topic or properties. One drawback of this approach is that end users – who are typically not records managers - may be apprehensive about declaring records, due to the official and legal nature of a record.
The powerful recordkeeping capabilities in SharePoint give organizations an effective enterprise records management system. SharePoint contains valuable features that can be used to define the appropriate records and retention policies for the business.
The CISO as the Man-in-the-Middle
MICHAEL THELANDER, DIRECTOR, PRODUCT MANAGEMENT, TRIPWIRE
Synopsis: The CISO has become the new Man-in-the-Middle, increasingly caught between the Executive World where they must effectively connect security to the business, and the more familiar Technical World where the CISO must continue to effectively communicate in terms of controls and benchmarks…
If you’ve been working in or around the IT security field for any amount of time, you are probably quite familiar with the term “Man-in-the-Middle” (MitM) as it relates to a method of attack.
What I’m even more interested in these days is an emerging typology, the new Man-in-the-Middle - or what I like to describe as being the “MitM Redux” - and in this context we are not referring to an attack method, but instead applying the term to describe a role that is becoming all the more common.
Security practitioners and infosec students who have crammed for the CISSP and GISP certification exams understand MitM to be a type of crypto attack that is usually explained by using the now ubiquitous characters Alice, Bob, and Mallory.
In the parable, Alice thinks she’s communicating privately with her friend Bob, but in actuality the malicious Mallory has secretly inserted herself in the middle of the conversation and is effectively eavesdropping on them, and in some instances she is able to also modify some the messages as she relays them between the two unwitting conversants.
The Man-in-the-Middle attack at one point in time was considered to be quite innovative, but not so much today. Would-be miscreants who want to utilize the technique can now simply buy the components “off the shelf” to carry out such an attack by employing ready-made toolkits like Ettercap, dsniff, and Mallory (a creative use of the classic MitM character’s name).
As interesting as they are, the goal of this discussion is not to further examine Man-in-the-Middle as an attack, but instead I seek to expand the terminology to describe the new CISO, who has become the real Man-in-the-Middle, increasingly finding him or herself caught between two very different worlds.
The first is the Executive World, where they need to be able to connect security to the business by practicing the soft art of Influence Without Power when speaking to a new audience in terms of critical business functions, of how security risks translate into business risks, of profit/loss considerations, and EBITDA – and if you know what that abbreviation means, then you are most likely already a MitM CISO.
The second and more familiar world is the Technical World, where the CISO must continue to communicate effectively in terms of the attack surface, of incident management, of controls and control objectives, of CIS benchmarks, and of network defense testing.
Many security and business analysts have attempted to qualify the dynamics of this evolving role for the new CISO, but in my honest opinion none have done a better job at it than the authors of a study conducted by IBM’s Center for Applied Insights, aptly titled “Finding a Strategic Voice: Insights from the 2012 IBM Chief Information Security Officer Assessment” (the detailed results of which can be downloaded at no cost).
The IBM report offers up some excellent data and provides some useful findings, some examples of which I found particularly interesting and included:
- The Focus is Shifting Towards Risk Management: “In two years, security leaders expect to be spending more of their time on reduction of potential future risk, and less on mitigation of current threats and management of regulatory and compliance issues.”
- The Archetypes are Real: CISOs and security leaders can be grouped into archetypes which include Responders, Protectors and Influencers, and each persona has a very distinct modus operandi in regards to working with and through their organizations. The report does a great job of not only fleshing out these different archetypes; it also provides keen insight into how one can morph from one archetype to the others.
- A Shift in Focus from the Local to the Global: “In general, the role of information security will be moving away from specific risks to global risks. The role will be much larger than it used to be,” the authors noted.
- Measures Really Matter: Think of this as gaining insight from the process of obtaining metrics, and not just from the numbers themselves. “Although metrics can be a challenge to define and capture, that should not deter organizations from implementing them. Measurement may be imprecise at first but will improve over time – and the process itself can drive valuable insight,” the report states.
I saw a lot of reports last year on the evolution that is defining the role of the new CISO, but this report is by far the best in show.
In the most general of terms, it illustrates the choice most all CISOs will face: Whether to continue being the “middleman” who translates up the chain and manages down through the organization while never really getting to land on one side or the other, or instead being more like the innovative CIOs and CFOs who before them had struggled to assume their rightful place at the strategy table, but only after mastering the soft skills required for executive leadership.
I think most CISOs will opt for the latter of the two choices, and it is up to those of us who call ourselves security “vendors” and “professionals” to assist them in making this important transition.
System State Intelligence and the Intrusion Kill Chain
BY DWAYNE MELANCON, CHIEF TECHNICAL OFFICER, TRIPWIRE
Synopsis: In kill chain analysis, an attacker has to progress through stages before they achieve their objective, and it takes just one successful mitigation effort to thwart the attacker. SSI can increase the timeliness and accuracy of security incident detection efforts and increase the overall effectiveness of all network security tools.
The time has come to examine how System State Intelligence (SSI) relates to the “kill chain” - also known as the “intrusion kill chain,” or the “cyber kill chain”. Why? Because in most enterprises there is a bias toward the network-centric and event-centric elements of intrusion detection, and there needs to be better integration of the state-centric security elements in order to ultimately improve security effectiveness.
What is the Intrusion Kill Chain?
The kill chain concept is based on work conducted by Lockheed Martin’s Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin, Ph.D., which is detailed in a paper titled “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.” In a nutshell, the intrusion kill chain is a model that describes the order of events during an attack, and provides a method to segment, analyze, and mitigate the offensive.
The Lockheed paper defines a kill chain as “the structure of the intrusion, and the corresponding model [which] guides analysis to inform actionable security intelligence.” In other words, rather than trying to look at network security events in isolation as a separate population of data, they should be integrated by grouping them according to the attack vectors.
The intrusion kill chain can be thought of as “supply chain management” for cyber attacks, and the endgame is to produce an objective model for dealing with attacks as early in the process chain as possible by aligning responses to the stage and severity level of an attack.
A core assumption in any kill chain analysis is that an attacker has to progress through each stage of the chain before they achieve their objective, and it takes just one successful mitigation effort to disrupt this progress and thwart the attacker.
System State Intelligence (SSI)
System State Intelligence (SSI) is an approach to security that is designed to identify the leading indicators of any security compromise, to reduce the number of false positives, and in the end increase the accuracy of network incident detection.
Effective SSI requires the presence of several key capabilities. First of all, it must provide full awareness of the state of your network systems, including how they are configured and whether that configuration corresponds to policies. This level of awareness anchors system states to a recognizable baseline – a “known and trusted state.”
Secondly, SSI must include continuous monitoring of those systems for any changes or deviations from the baseline or the configuration policies, and must use this awareness to detect any unwarranted events in order to foster security-based context and prioritizations. SSI lets you continuously know what the state of your systems was, what it should be, and how it’s changing in real time.
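The two capabilities just described, a baseline of the known and trusted state and continuous comparison against it and against policy, in miniature as an added example (constructed for this article, not Tripwire’s engine): a temporary directory stands in for a host, `sshd_config` stands in for a policy-governed configuration, and the change set, approved-change list and policy values are all invented.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 of content for every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_state(baseline: dict[str, str], current: dict[str, str]) -> list[tuple[str, str]]:
    """Every deviation from the known-and-trusted state, as (change, path)."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            changes.append(("added", path))
        elif path not in current:
            changes.append(("removed", path))
        elif baseline[path] != current[path]:
            changes.append(("modified", path))
    return changes


def parse_kv(text: str) -> dict[str, str]:
    """Parse 'Key value' lines of an sshd_config-style file, ignoring comments."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            config[key] = value.strip()
    return config


def check_policy(config: dict[str, str], policy: dict[str, str]) -> list[str]:
    """Compare actual settings with the configuration policy they should match."""
    return [f"{key}: policy {want!r}, actual {config.get(key)!r}"
            for key, want in policy.items() if config.get(key) != want]


def assess(root: Path, baseline: dict[str, str], policy: dict[str, str],
           approved: set[str]) -> tuple[list[tuple[str, str, str]], list[str]]:
    """One monitoring pass: label each change expected/unexpected, then check policy."""
    findings = [("expected" if path in approved else "unexpected", change, path)
                for change, path in diff_state(baseline, snapshot(root))]
    config = parse_kv((root / "sshd_config").read_text())
    return findings, check_policy(config, policy)


def demo() -> tuple[list[tuple[str, str, str]], list[str]]:
    """Constructed scenario: baseline a host, then let it drift in three ways."""
    policy = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc").write_bytes(b"\x7fELF sample build 1")
        (root / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        baseline = snapshot(root)                      # the known and trusted state

        # Later: an approved patch, an unapproved config change, and a new scheduled job.
        (root / "bin" / "svc").write_bytes(b"\x7fELF sample build 2")
        (root / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (root / "etc" / "cron.d").mkdir(parents=True)
        (root / "etc" / "cron.d" / "nightly").write_text("0 2 * * * root /usr/local/bin/nightly.sh\n")
        return assess(root, baseline, policy, approved={"bin/svc"})
```

Only the unexpected findings need an analyst’s attention; the approved patch is reconciled automatically, which is where the reduction in false positives comes from.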
How Does System State Intelligence Strengthen the Intrusion Kill Chain?
SSI contributes to the intrusion kill chain in most of the phases of an attack. The following table provides some examples:
This is not a comprehensive list, but should provide some food for thought about how SSI is involved in the intrusion kill chain.
SSI Can Improve the Effectiveness of Other Security Tools and Processes
In addition to the examples in the table above, SSI can also increase the timeliness and accuracy of security incident detection efforts, as well as increase the overall effectiveness of other network security tools. For example, it can reduce false positives because suspicious changes to the system state are really good initial indications of attack, and SSI alerts are typically free of false positives.
SSI can also find evidence of a compromise faster, because once SSI has identified a suspicious change to a group of systems that knowledge enables a more targeted investigation to ensue.
If you typically perform full-packet captures of data on your network, you end up with an overwhelming amount of data, which can be an obstacle when you are conducting an incident investigation. With SSI, you can begin the investigation by looking for something specific, such as the traffic that interacted with specific (compromised) systems at a certain time and that is associated with specific user accounts.
The Bottom Line
In short, using SSI to determine your starting points enables a more efficient, focused investigation, which enhances the value of your full-packet capture systems and increases the effectiveness of your Security staff. We are just barely scratching the surface here, but hopefully you can see that System State Intelligence is a core capability that will serve to strengthen your intrusion kill chain.
Tripwire is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk
About Dwayne Melançon
Melançon joined Tripwire in 2000 and most recently served as Vice President of Products for Tripwire. He has spearheaded numerous initiatives during his tenure, including executive responsibility for business development, professional services and support, information systems and marketing. Prior to joining Tripwire, Melançon held leadership roles at DirectWeb, Inc., Symantec Corporation and Fifth Generation Systems, Inc. He is certified on both IT management and audit processes, holding both ITIL and CISA certifications, and is a frequent speaker at national and regional industry events.